Date: 22 Mar 2001 20:29:43 +0300
From: Ilya Martynov <m_ilya@agava.com>
To: Chris Byrnes <chris@jeah.net>
Cc: ostap <ostap@ukrpost.net>, <freebsd-security@FreeBSD.ORG>
Subject: Re: DoS attack - advice needed
Message-ID: <86wv9hpv94.fsf@juil.domain>
In-Reply-To: <Pine.BSF.4.33.0103221116450.8421-100000@awww.jeah.net>
References: <Pine.BSF.4.33.0103221116450.8421-100000@awww.jeah.net>
>>>>> "CB" == Chris Byrnes <chris@jeah.net> writes:

CB> And, while we're on the subject, who needs ICMP? I haven't
CB> found a valid use for it.

ping uses types 0 and 8
traceroute uses 11
type 3 is required for TCP/UDP traffic

Here is a cite from the Linux IPCHAINS-HOWTO that describes why you should not block type 3 (destination-unreachable):

    A worse problem is the role of ICMP packets in MTU discovery. All good
    TCP implementations (Linux included) use MTU discovery to try to figure
    out what the largest packet that can get to a destination without being
    fragmented (fragmentation slows performance, especially when occasional
    fragments are lost). MTU discovery works by sending packets with the
    "Don't Fragment" bit set, and then sending smaller packets if it gets an
    ICMP packet indicating "Fragmentation needed but DF set"
    (`fragmentation-needed'). This is a type of `destination-unreachable'
    packet, and if it is never received, the local host will not reduce MTU,
    and performance will be abysmal or non-existent.

-- 
Ilya Martynov
AGAVA Software Company, http://www.agava.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86wv9hpv94.fsf>
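The policy Ilya describes (let ICMP types 0, 8 and 11 through, and never block type 3 because code 4 "fragmentation needed" drives Path MTU discovery) can be checked against real packet bytes. The following is an added example, not code from the thread or from any of the firewalls mentioned in it: it parses an ICMP message, verifies the RFC 1071 checksum, applies that allow-list, and for a fragmentation-needed message extracts the next-hop MTU that RFC 1191 places in the low 16 bits of the rest-of-header field. All packets are constructed inline; the function names are this example's own.

```python
"""Stateless ICMP filter illustrating the allow-list from the message.

Added example, not part of the original thread.  Packets below are
constructed in-line; `build_icmp`/`filter_icmp` are names chosen here.
"""
import struct

# ICMP type numbers (RFC 792)
ECHO_REPLY = 0
DEST_UNREACH = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11

# Destination-unreachable code 4: "fragmentation needed and DF set" (RFC 1191)
FRAG_NEEDED = 4

# The allow-list from the message: ping (0, 8), traceroute (11) and
# destination-unreachable (3), which carries the PMTU signal.
ALLOWED_TYPES = {ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED, DEST_UNREACH}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP message: type, code, checksum, 4-byte rest-of-header, payload."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = checksum(hdr + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def filter_icmp(msg: bytes) -> tuple:
    """Return ('pass' | 'drop', reason) for a single ICMP message."""
    if len(msg) < 8:
        return "drop", "truncated ICMP header"
    icmp_type, code, _, rest = struct.unpack("!BBHI", msg[:8])
    # A valid message sums to 0xFFFF including its own checksum field,
    # so recomputing over the whole message must yield zero.
    if checksum(msg) != 0:
        return "drop", "bad checksum"
    if icmp_type not in ALLOWED_TYPES:
        return "drop", "type %d not in policy" % icmp_type
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # RFC 1191: the low 16 bits of rest-of-header carry the next-hop MTU.
        # Dropping this message is what breaks PMTU discovery.
        mtu = rest & 0xFFFF
        return "pass", "fragmentation-needed, next-hop MTU %d" % mtu
    return "pass", "type %d code %d" % (icmp_type, code)


if __name__ == "__main__":
    # Constructed sample: a router telling us the path MTU is 1400 bytes.
    frag = build_icmp(DEST_UNREACH, FRAG_NEEDED, rest=1400,
                      payload=b"\x45" + b"\x00" * 27)
    for pkt in (frag,
                build_icmp(ECHO_REQUEST, 0, rest=0x12340001, payload=b"abc"),
                build_icmp(5, 1),    # redirect: not in the allow-list
                build_icmp(13, 0)):  # timestamp request: not in the allow-list
        print(filter_icmp(pkt))
```

Note that this is the stateless view; a stateful filter would additionally tie type 3 and 11 messages to an existing TCP/UDP flow by inspecting the original IP header echoed in the payload, which keeps the PMTU path open while rejecting unsolicited errors.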